Hi jack log processor runs at 100%

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

joker007

Thread Starter
Joined
Jul 13, 2003
Messages
40
I have a relatives machine here.
The machine was running so slow from something taking up the processor resources that I couldn't remove the problems.
The system tools show that the processor at 100% constantly.

There are unwanted search bars that I also need to remove.
I have more experience with 98 then XP.

There are eight user profiles on this machine.

I have ran the latest Spybot and saved the report . I have the latest downloads of "Hijack this", "Ad Aware", "Spybot S&D", and CW Shredder on the XP machine.

I have turned off the system restore.
I ran Spybot clicked on checked the find problems and then I allowed Spybot to repair the problems. the software asked to run on Start up.
I restarted the software ran and at the end Spybot said it could not remove some problem stuff because it was currently running.

These are the steps I taken so far.

1.) I installed AVG antivirus allowed it to update then ran it. I allowed it to correct 17 problems it found.

2. I visited Trend microsystems and had the entire system scanned over the net. The trend scan found and removed a redirecter from two of the user profiles.

3. Installed, updated and ran Spybot 1.3 allowed the software to make corrections.
I allowed the software to save a registry copy I did not allow it to immunize because I don't know what that does.

4. I have installed ran the AdAware (made no changes) saved the log to the desktop.

5. Installed HiJack this ran a scan (made no corrections) saved the log to the desktop.

6. Installed CW shredder did not run.

7. I changed the home page to google so I would have fewer popups from the MSN page.


Thanks for your time


Here is the Hijackthis log:

Logfile of HijackThis v1.98.0
Scan saved at 3:21:22 PM, on 8/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\paprport\pptd40nt.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\docume~1\sarah\locals~1\temp\vWOHO.exe
C:\docume~1\sarah\locals~1\temp\a1hk3.exe
C:\docume~1\sarah\locals~1\temp\vWOHO.exe
C:\docume~1\sarah\locals~1\temp\a1hk3.exe
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe
C:\WINDOWS\System32\igmoin.exe
C:\documents and settings\diego\local settings\temp\HJ92lZk.exe
C:\documents and settings\diego\local settings\temp\HJ92lZk.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\ZtjNI3.exe
C:\WINDOWS\System32\NhgL.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\WINDOWS\System32\mod2c.exe
C:\Program Files\Microsoft Office\OSA.EXE
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Patricia\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Patricia\Local Settings\Temp\Vt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-us\msntb.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MMtask Service] mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [vWOHO] C:\docume~1\sarah\locals~1\temp\vWOHO.exe
O4 - HKLM\..\Run: [a1hk3] C:\docume~1\sarah\locals~1\temp\a1hk3.exe
O4 - HKLM\..\Run: [2J7YMWA35BMGA3] C:\WINDOWS\System32\Jel3872.exe
O4 - HKLM\..\Run: [vWOHO.exe] C:\docume~1\sarah\locals~1\temp\vWOHO.exe
O4 - HKLM\..\Run: [a1hk3.exe] C:\docume~1\sarah\locals~1\temp\a1hk3.exe
O4 - HKLM\..\Run: [AutoLoader0F571NYXaWaX] "C:\WINDOWS\System32\shftfp.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [0smh33l] igmoin.exe
O4 - HKLM\..\Run: [HJ92lZk] C:\documents and settings\diego\local settings\temp\HJ92lZk.exe
O4 - HKLM\..\Run: [HJ92lZk.exe] C:\documents and settings\diego\local settings\temp\HJ92lZk.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA Lite\kazaalit.exe /SYSTRAY
O4 - HKLM\..\Run: [BearShare] C:\PROGRA~1\BEARSH~1\BEARSH~1.EXE /m
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [WindowsMGM] C:\WINDOWS\winmgm32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [HB5nRTJ3l] mod2c.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://raven.veloz.com/pub/download/scandl_blocks.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
O20 - AppInit_DLLs: NVDESK32.DLL
 
Joined
Oct 13, 2003
Messages
2,367
Well...Hope you're at your relative's home for a while. That's a messed up machine and we need a HJT log from each account. Let's just stick with this one until it's clean...then we'll move on to the next.

First run this uninstaller to get rid of the peper.a trojan:

http://www.zerosrealm.com/downloads/uninst.exe

*Note: Just click on the uninst.exe and let it run. When it is finished it will just close. There will be no dialogue. Also you must be connected to the internet for the uninstaller to be effective.


Go to Add or Remove Programs, in the control panel, and uninstall MyWay (or anything that sounds similar), BearShare, WeatherBug and PNetAware.


Restart the computer.

Before we start, let's disable your System Restore. After the infection's been cleaned re-enable system restore.
Disabling System Restore in Windows XP Disable System Restore in Windows ME

IF, for some reason, you lose the ability to use IE or lose your internet connection...open HJT-->"Config"-->"Backups"-->"Restore".


Open HiJackThis. Click "Scan". Put a checkmark next to these:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html

O2 - BHO: (no name) - SOFTWARE - (no file)

O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL

O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Patricia\Local Settings\Temp\Vt.dll

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL

O4 - HKLM\..\Run: [vWOHO] C:\docume~1\sarah\locals~1\temp\vWOHO.exe

O4 - HKLM\..\Run: [a1hk3] C:\docume~1\sarah\locals~1\temp\a1hk3.exe

O4 - HKLM\..\Run: [2J7YMWA35BMGA3] C:\WINDOWS\System32\Jel3872.exe

O4 - HKLM\..\Run: [vWOHO.exe] C:\docume~1\sarah\locals~1\temp\vWOHO.exe

O4 - HKLM\..\Run: [a1hk3.exe] C:\docume~1\sarah\locals~1\temp\a1hk3.exe

O4 - HKLM\..\Run: [AutoLoader0F571NYXaWaX] "C:\WINDOWS\System32\shftfp.exe" /PC="AM.WILD" /HideUninstall

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [0smh33l] igmoin.exe

O4 - HKLM\..\Run: [HJ92lZk] C:\documents and settings\diego\local settings\temp\HJ92lZk.exe

O4 - HKLM\..\Run: [HJ92lZk.exe] C:\documents and settings\diego\local settings\temp\HJ92lZk.exe

O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA Lite\kazaalit.exe /SYSTRAY

O4 - HKLM\..\Run: [BearShare] C:\PROGRA~1\BEARSH~1\BEARSH~1.EXE /m

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1

O4 - HKCU\..\Run: [WindowsMGM] C:\WINDOWS\winmgm32.exe

O4 - HKCU\..\Run: [HB5nRTJ3l] mod2c.exe

O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe


O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab

O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab





Close ALL browser windows (except HiJackThis ;) ) and click "Fix checked."


Re-start your computer.


NEXT:


Re-start your computer into safe mode:

How to start your computer in Safe Mode

NEXT:

Because XP will not always show you hidden files and folders by default, Go to Start > Search under "More advanced search options", make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on "My Computer". Go to "Tools" ---> "Folder Options". Click on the "View" tab and make sure that "Show hidden files and folders" is checked. Also, uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"

Click "Apply" then "OK".


NEXT:

Find and delete:

ClearSearch folder

MyWay folder

AutoUpdate.exe

igmoin.exe

BearShare folder

Weatherbug folder

winmgm32.exe

mod2c.exe







Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

http://www.computerhope.com/issues/ch000225.htm

Next navigate to the C:\Documents and Settings\ <user's name>\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Now click the "Delete Cookies" button and click OK.


Empty the Recycle Bin


Re-start your computer and post another HJT log.
 

joker007

Thread Starter
Joined
Jul 13, 2003
Messages
40
The puter is here. I need to plug it in and we'll be ready to Rock and Roll. I'll let you know when I start your instructions.
 
Joined
Oct 13, 2003
Messages
2,367
OK. I don't know if I'll be around long enough for all 8 profiles. lol. I guess we've got to start SOMEWHERE. :D
 

joker007

Thread Starter
Joined
Jul 13, 2003
Messages
40
Small problem .. The computer is not connected to the internet. I can download the program and burn a disk for the new software but I'd have to reconfigure the puter for my DSL settings.
 
Joined
Oct 13, 2003
Messages
2,367
Yea, the peper.a trojan's a pain in the a**. Unfortunately, it's the only way I know of to clean it. It morphs.
 

joker007

Thread Starter
Joined
Jul 13, 2003
Messages
40
Can we start the cleaning without being connected to the net and finish tomorrow ? I'm in calif you are two hours ahead of me.
 

joker007

Thread Starter
Joined
Jul 13, 2003
Messages
40
Help I'm STUCK.
There was'nt any Igmoin.exe to remove.
There was no winmgm32.exe,however, There was a winmgm.exe I left it there

I got stuck here.
I followed all the instructions up to the deleting of the temp folder.

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

I am in C:\windows\temp and I don't see a folder (s) marked TEMP.

What I see is folder icons titled
_ISTMP0.DIR
_ISTMP1.DIR
_ISTMP2.DIR
_ISTMP3.DIR
_ISTMP4.DIR
ALTNET
BULLGUARD
HP 3041
WER1D.TMP.DIR

~GLBS914.exe application
Then following this entry there are several icons that look like HP log files.
miscellaneous icons and some text files.

I'm still in safe mode and waiting for instructions.
Thanks again for all your help
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top